Lawsuit alleging Gmail ads are “wiretapping” gets judge’s OK

Non-Gmail users never agreed to have their e-mail scanned, lawyers say.

It's widely understood that the ads Google puts in Gmail are based on the content of e-mails. The millions of Gmail users presumably accept the company's promise that "no humans read your e-mail."

Despite that, a lawsuit claiming that Google's practice violates pre-Internet anti-wiretapping laws will be going forward. Lawyers representing non-Gmail users of various stripes in a class-action lawsuit say their clients never agreed to have their e-mails intercepted and scanned by Google. They argue that Google's "interception" of those e-mails violates federal anti-wiretapping laws and state privacy laws. And today, US District Judge Lucy Koh agreed with them, refusing to grant Google's motion to dismiss the case.

Even an e-mail sender who read the company's privacy policies "would not have necessarily understood that her e-mails were being intercepted to create user profiles or to provide targeted advertisements," stated the judge. The plaintiffs in this case haven't consented implicitly or explicitly to have their e-mails scanned, and so the lawsuit can move forward, she ruled.

Some of the plaintiffs do use Google mail, but they're not free Gmail users, who would have agreed to Google's ad-scanning terms when they signed up. Rather, they're users of non-ad-based e-mail, including some of Google's own paid services, like Google Apps for Education. Those users of non-Gmail services didn't agree to get their e-mails scanned by the service, their lawyers argued.

The proposed classes of plaintiffs—and there are several—are potentially huge. One includes "all US citizen non-Gmail users who have sent a message to a Gmail user and received a reply or received an e-mail from a Gmail user."

No, really, they’re all cool with it

In its defense, Google said that those users gave "implied consent" to Gmail's business practices when they chose to e-mail Gmail users. "Google's theory is that all e-mail users understand and accept the fact that e-mail is automatically processed," not just for advertising but for things like spam filtering, which is vital to running a modern e-mail service. In its motion to dismiss, Google described this class action lawsuit as an attempt to "criminalize ordinary business practices" that were nearly a decade old.

Koh didn't buy it. Google's theory that non-Gmail users had offered "implied consent" when they shot off an e-mail to a Gmail user would "eviscerate the rule against interception," she wrote.

Even for users who may have read some company policies, Koh found that Google's disclosures were lacking. They suggest that Google ads "were based on information 'stored on the services' or 'queries made through the Services'—not information in transit via e-mail," she wrote. Google also doesn't disclose that it uses e-mails to build "user profiles," not only to serve up the immediate advertisements.

Google did succeed in getting certain state law claims thrown out of the lawsuit, including claims under Pennsylvania law and some California state law claims.

The search giant hasn't lost this lawsuit—there's a long way to go. The plaintiffs have a lot of work ahead of them, including getting their case accepted as a class action. The fact that Google wasn't able to knock the case out on a motion to dismiss does increase the chances of a settlement, but it seems likely Google will fight tooth-and-nail on an issue like this. The company is already fighting hard against an adverse ruling that anti-wiretapping laws apply to its Wi-Fi data collection screwup. It suffered that ruling at an appeals court earlier this month and has asked for it to be reconsidered.

One user of an academic email system powered by Google told Ars he agreed with at least some of the sentiment of the lawsuit, in that Google hadn't fully disclosed how it was using emails it distributed.

"Here at Berkeley, I repeatedly asked both lawyers and engineers whether our gMail-powered email system, bMail, would profile students," said UC Berkeley law prof Chris Hoofnagle in an email to Ars. "They said there would be no ads, but would not make a writing about other data mining of bMail content. We certainly did not consent to all of this, and in retrospect, I feel (as a relatively sophisticated player in this field) misled by the Google people."

Joe Mullin / Joe has covered the intersection of law and technology, including the world's biggest copyright and patent battles, since 2007.

249 Reader Comments

I know it's highly impractical to selectively scan emails in order to comply to a ruling were Google to lose a lawsuit like this one. However, I kinda agree with the Judge's reasoning here. It'll be interesting to see how this proceeds.

I don't like the idea that Google can build up a personal profile based on my emails to other people even when I myself don't use any Google services.

This. I run my own e-mail server. But 50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that. In fact, other than youtube, I use no google services. Switched to searching with bing a couple of years ago, and this sort of shenanigans was the reason why.

I don't like the idea that Google can build up a personal profile based on my emails to other people even when I myself don't use any Google services.

This. I run my own e-mail server. But 50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that. In fact, other than youtube, I use no google services. Switched to searching with bing a couple of years ago, and this sort of shenanigans was the reason why.

Convince her to get a private key. Won't stop them from analyzing metadata or the emails you've already exchanged, but it's better than nothing.

I don't like the idea that Google can build up a personal profile based on my emails to other people even when I myself don't use any Google services.

This. I run my own e-mail server. But 50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that. In fact, other than youtube, I use no google services. Switched to searching with bing a couple of years ago, and this sort of shenanigans was the reason why.

Convince her to get a private key. Won't stop them from analyzing metadata or the emails you've already exchanged, but it's better than nothing.

Convince a girly-girl to get something called a private key? She doesn't think any of this is a problem she needs to worry about, just like most of the rest of Internet. They gave up their privacy for little convenience.

I don't like the idea that Google can build up a personal profile based on my emails to other people even when I myself don't use any Google services.

This. I run my own e-mail server. But 50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that. In fact, other than youtube, I use no google services. Switched to searching with bing a couple of years ago, and this sort of shenanigans was the reason why.

Convince her to get a private key. Won't stop them from analyzing metadata or the emails you've already exchanged, but it's better than nothing.

Convince a girly-girl to get something called a private key? She doesn't think any of this is a problem she needs to worry about, just like most of the rest of Internet. They gave up their privacy for little convenience.

Problem exists between keyboard and chair. Also, I know lots of girls with private keys, they're the best ones to date.

If you send an email to a Gmail server, I'm pretty sure there's implied consent there that the server can read and process the contents of that email.

I can understand an argument being mounted about the privacy implications of Google's automatic profile-generation. But does that really constitute wiretapping, when the data was specifically transmitted to Google's mail servers in the first place? It seems a stretch to me.

"would not have necessarily understood that her e-mails were being intercepted to create user profiles or to provide targeted advertisements,

That makes sense

Quote:

"Google's theory is that all e-mail users understand and accept the fact that e-mail is automatically processed," not just for advertising but for things like spam filtering, which is vital to running a modern e-mail serviceGoogle described this class action lawsuit as an attempt to "criminalize ordinary business practices.

I don't like the idea that Google can build up a personal profile based on my emails to other people even when I myself don't use any Google services.

This. I run my own e-mail server. But 50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that. In fact, other than youtube, I use no google services. Switched to searching with bing a couple of years ago, and this sort of shenanigans was the reason why.

Convince her to get a private key. Won't stop them from analyzing metadata or the emails you've already exchanged, but it's better than nothing.

Convince a girly-girl to get something called a private key? She doesn't think any of this is a problem she needs to worry about, just like most of the rest of Internet. They gave up their privacy for little convenience.

Problem exists between keyboard and chair.

Not even keyboard an chair. I'm pretty sure this same apathetic attitude toward online privacy (what I don't see can't hurt me?) is what made real-world privacy (and even civil liberties) erosion possible. It's a fairly straightforward leap from apathy to inaction to acceptance.... right until something really bad happens to that particular individual but by then it's too late for them, and there's no help because no one else cares.

50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that.

It's been a while since I've reviewed the actual wiretap act. But it seems silly to require consent. By way of analogy, assume you send a letter to someone with a secretary. That person instructs the secretary to open and read this letter aloud. You may not have known that the secretary was reading your letter, much less consented to that. But it would be silly to say the secretary had illegally intercepted your letter, because the secretary acted with the consent of the recipient.

Likewise, when you send an e-mail to someone using Gmail, it shouldn't matter whether or not you consented. The recipient consented, and that should be enough.

Anyone with half a brain that reads the news already knows that email never dies, and whatever you wrote lives forever and can be used as evidence against you in a court of law. There are even specific email retention laws so that you can have your lawyers slap the other party if they illegally destroy email evidence. The very first thing lawyers do in a case is discovery, which entails going through the email with a fine tooth comb.

50% of all my e-mails are to my girlfriend who uses.... GMail! So half of all my e-mail messages are parsed by Google. I never consented to that.

It's been a while since I've reviewed the actual wiretap act. But it seems silly to require consent. By way of analogy, assume you send a letter to someone with a secretary. That person instructs the secretary to open and read this letter aloud. You may not have known that the secretary was reading your letter, much less consented to that. But it would be silly to say the secretary had illegally intercepted your letter, because the secretary acted with the consent of the recipient.

Likewise, when you send an e-mail to someone using Gmail, it shouldn't matter whether or not you consented. The recipient consented, and that should be enough.

Except that this is more like if the postal service started opening your mail and reading it without one or both parties consent.

My main concern is how this impacts other email providers. If processing email data is seen as "wiretapping", then there are going to be a whole lot of companies guilty of the same offence.

I run an ICT department where we have pretty strict controls over what comes in and out of our mail server. Violent, sexist and obscene content is expressly prohibited (in accordance with our legal obligations to provide a safe workplace), and we have pretty sophisticated filters in place to detect industrial espionage (we're a research business, and we've had plenty of "data leakage" in the past).

So, all email in and out is heavily processed, data is collected on a per-email-address basis, and we manually sift through email that is suspicious, before allowing it to be delivered. All emails are retained indefinitely.

Is this wiretapping? Our employees sign an ICT Policy when they join the company, agreeing to these practices, but there is no way to make every party who transmits data to our mail server agree to the same.

If Gmail is wiretapping, then so are we, and so is basically every company that operates a mail server.

It's not intuitively obvious to anyone sending email to me at "firstname@lastname.org" that they're actually sending email to a Google server to be parsed.

That information is publicly available from the domain's MX records.

An argument could be made that a nontechnical user can't access that information readily - but I'd see that as a software limitation of email clients more than a legal issue. It would be trivial to implement an email feature that displays the details about the receiving mail server before email is sent. There just doesn't seem much demand for the availability of such a feature.

It's not intuitively obvious to anyone sending email to me at "firstname@lastname.org" that they're actually sending email to a Google server to be parsed.

That information is publicly available from the domain's MX records.

An argument could be made that a nontechnical user can't access that information readily - but I'd see that as a software limitation of email clients more than a legal issue. It would be trivial to implement an email feature that displays the details about the receiving mail server before email is sent. There just doesn't seem much demand for the availability of such a feature.

In order to demand such a feature, you have to know it could exist, and if you know that much you probably have enough technical knowledge to check the MX records.

It's not intuitively obvious to anyone sending email to me at "firstname@lastname.org" that they're actually sending email to a Google server to be parsed.

That information is publicly available from the domain's MX records.

MX records are not intuitively obvious.

What difference does it make? You're sending data out addressed to some server. That server chooses to send it elsewhere, but at no point was there any contract - implied or otherwise - that it wouldn't. Unless you have an agreement with 'lastname.org' about what will be done with your email, you haven't got a leg, foot or toe to stand on.

Even an e-mail sender who read the company's privacy policies "would not have necessarily understood that her e-mails were being intercepted to create user profiles or to provide targeted advertisements," stated the judge. The plaintiffs in this case haven't consented implicitly or explicitly to have their e-mails scanned, and so the lawsuit can move forward, she ruled.

Missing something here. How are non gmail users having a user profile created for targeted advertisements? Can any of these people prove they got a more targeted ad while on google search or a google site, based on an email they sent to a gmail user?

And this also would spread to Microsoft's Hotmail as well, since they also used targeted advertisements on email before they went to outloook.

And on a more cynical note, this particular judge has her hands full with Apple and Samsung's endless motions - I doubt she actually spent more than 5 minutes on this.